These agencies are not only interested in whether a digital asset is
untouched (for which we assign a hash), but also in who has had access
to any given file and what they did with it (read, write, ???.).

The number of files could be in the millions, far too many to add a rule for each file.

Building a rule for each user is not only operationally undesirable it
would also mean that if those users actually logged into the server
every file they accessed would be logged, not just the files we care
about.

We want/need to catch all access to the files in our directory
structure including any management/administrative access, therefore we
would like *all* users access to these files logged, not just a subset
of common (non-admin) users.